A “critical” vulnerability that risked $24 billion in user funds was quietly patched earlier this month by developers at, a scaling framework for —though not before one attacker was able to steal $1.8 million in Polygon’s MATIC token.
The exploit was shared by white hat hackers on bug bounty platform ImmuneFi on December 3. An upgrade was initiated within 48 hours and, in a blog post Wednesday, the Polygon team explained that they chose not to reveal the incident until it was patched.
“Considering the nature of this upgrade, it had to be executed without attracting too much attention,” they wrote.
If left unaddressed, thevulnerability would have allowed attackers to mint more than 9.2 billion MATIC tokens (from a total supply of 10 billion) from its genesis contract. But Polygon’s prompt upgrade execution meant that no user funds were lost, and the upgrade was completed without a hitch.
All you need to know about the recent Polygon network update.
✅A security partner discovered a vulnerability
✅Fix was immediately introduced
✅Validators upgraded the network
✅No material harm to the protocol/end-users
✅White hats were paid a bounty https://t.co/oyDkvohg33
— Polygon | $MATIC 💜 (@0xPolygon) December 29, 2021
$2 million in MATIC stolen
However, the quick-fix hard fork didn’t come soon enough to prevent one malicious attacker from using the exploit to steal over 800,000 MATIC (then worth around $1.8 million), before the patch was instituted—a loss that Polygon Foundation said it would cover.
The project’s co-founder Jaynti Kanani said that such a situation was bound to occur “sooner or later,” but the outcome was a testament to the network’s resilience.
“Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances,” he said. The market appears to agree, with MATIC currency trading at $2.56—up 41% over the past month.
Polygon, which aims to address some of Ethereum’s major limitations—including throughput and transaction efficiency—has made major strides throughout the past year. Most recently decentralized exchange (V3 launch, sending MATIC to fresh highs.) announced that it would use the network for its
However, the $98 billion decentralized finance ( ) industry has suffered a series of high-profile attacks, most of which have been focused on flash loans. Around $474 million in funds was stolen from the DeFi sector in the first six months of 2021, according to data from forensics startup CipherTrace.